965f283fd8b82e737109499811f5735781a10fb423ced4c387578c6d336f7dc9

General

Target

683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
Size

12KB
MD5

683e551837bbd87011342a6cc5265a30
SHA1

360bf01eefbb719f67495e4ffbceb251157921ff
SHA256

965f283fd8b82e737109499811f5735781a10fb423ced4c387578c6d336f7dc9
SHA512

46ba045fec254862c6f459229c14b2df9a10ca6eca3afb040fc58376c0567b7e6a1e9435fdcab6b69c3781b6e34405dc13b5a9e7a4ab895b0b86aadffb82bc6d
SSDEEP

384:DL7li/2zDq2DcEQvdhcJKLTp/NK9xa4b:H/M/Q9c4b

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1382.tmp.exe

pid process

2888 tmp1382.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1382.tmp.exe

pid process

2888 tmp1382.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

pid process

2416 683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2416 683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

pid	process
2888	tmp1382.tmp.exe

pid	process
2888	tmp1382.tmp.exe

pid	process
2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2416 wrote to memory of 2864	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	vbc.exe
PID 2416 wrote to memory of 2864	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	vbc.exe
PID 2416 wrote to memory of 2864	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	vbc.exe
PID 2416 wrote to memory of 2864	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	vbc.exe
PID 2864 wrote to memory of 2604	2864	vbc.exe	cvtres.exe
PID 2864 wrote to memory of 2604	2864	vbc.exe	cvtres.exe
PID 2864 wrote to memory of 2604	2864	vbc.exe	cvtres.exe
PID 2864 wrote to memory of 2604	2864	vbc.exe	cvtres.exe
PID 2416 wrote to memory of 2888	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	tmp1382.tmp.exe
PID 2416 wrote to memory of 2888	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	tmp1382.tmp.exe
PID 2416 wrote to memory of 2888	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	tmp1382.tmp.exe
PID 2416 wrote to memory of 2888	2416	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	tmp1382.tmp.exe

C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ncaymtgr\ncaymtgr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE97994EF9562437EAD64A5D05990F067.TMP"
3⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\tmp1382.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1382.tmp.exe" C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ba1cdf11be5b85de4aca2e2fbb21c9c3

SHA1
a7a1ab34ab6c7e82f11541a8343bd1f53b0175e4

SHA256
029ba1067b4c234a3377fbe470cf121c936d80a84db09306cc20234e9bd9c24f

SHA512
41f78ed4ea09ed18ce03b8dadff0bc9597c513f28201e072bc52378adad3e0219d214e2f96b9f9d4bd8ae16ca633372f29515cc790d39d8ce9d161b7177f26cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES14A9.tmp

Filesize
1KB

MD5
2aedc12495ebcd4a12b96c94b64be9fd

SHA1
30a6e372a48cdb57a5f3b20b9f725b7398b82377

SHA256
6a94224e6d37fc5671f44f337d53a7310df31d56a1e47ac949845665ee2f1353

SHA512
d8f6af9baf6848babbee7c1169e966f90fad348612c10c3d71fabb58c6d01ac1a30b373339af34f65f62a58e1c538cad120e0566919f1de957ecee39ec20f834

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncaymtgr\ncaymtgr.0.vb

Filesize
2KB

MD5
3dd20d980bd5507f7f8b2c950ace073b

SHA1
d464d8cd39f30030a3fc3c4b1f5116cdaa7a8e1c

SHA256
b524575a3f68b60d62dc9655a59166a43f32669264d0714998fa35dbf5d02e31

SHA512
1493b95fbc9c080c7ca593fa5129670ee9808c066f712264c5f11b663a8714119b8e076982fd7cda9935b7796fbcb8c2d068bb0601b2db6a9905c57115534a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncaymtgr\ncaymtgr.cmdline

Filesize
273B

MD5
a8f2fe864dc1fa334adaae79e8424bab

SHA1
3ddfb08c7506bcb3161d7efe06edd262eeff98eb

SHA256
0889de0bb81ad374bc9161f368608bdb184377846af25346562bdc3d6c0aae9f

SHA512
94fc593626c76554c1282f6e164c866b5482cacf08ecd72188227312ca641bc70040280e0b52f42223e606c0edcc1f5e901480b11b1c7baa5f9a8fdf90a9fe12

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1382.tmp.exe

Filesize
12KB

MD5
fb73adaa06c42e750329f90483e66200

SHA1
0830e36de4efff1e3bdcb597c7fc222813ed75ac

SHA256
5173010aa481b348803170bdf34a54d19a59bc7890a5452dd25cf2d8fd4376e8

SHA512
a5f74df16f6b78a5a990989284b5784d710571a247d61f0a61848dfb66842119e8f1ae91ba924abf1b05d970201f7ed8bbe3288a983a68d961e06daf22552ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE97994EF9562437EAD64A5D05990F067.TMP

Filesize
1KB

MD5
1e1930b3345c703778272064d7107071

SHA1
651ae8f5b9826827e16d9a1054ee47a8881bb25b

SHA256
b8e87432c8c491abe88cde14b910ed6a760010d25f3ba8a519b3e44858a87a4b

SHA512
57c296d8c15af01e5afc56271235ddfabf6159babbd89cb7d37238b2b0aca2cdc694ad204eee07ab35ea198098ddbb112142cb4cbb09675e1bc229ca62531a70

Download Submit
memory/2416-0-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2416-7-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-24-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-23-0x0000000001170000-0x000000000117A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing